To take these points separately:

[quote="A_Hull"]The data gives us the ability to track changes to the AD, things like last logon domain logon time of both the user and the machine[/quote]
Presumably this will need us to retain a lot of historical data in the LDAP tables (in the same way that software is tracked in OA)?
[quote="A_Hull"]also since we are picking up info from more than one domain, we can now look up user and computer ldap details for all of the domains, rather than just the currently attached domain.[/quote]
We can do this now, and it is something I've just started working on. Now that we have functionality to define multiple LDAP sources (i.e. connections on the LDAP config page), we can use this connection info when pulling up LDAP details for a particular user or system, using the domain name to identify which LDAP connection we need to use*. This also eliminates the need for the LDAP connection settings on the config -> security page.
[quote="A_Hull"]One final point, some people run multiple AD schemas, and audit each, merging the database, in this case the ldap audit script may be run from a domain which is not even a part of the current trust relationships or schema, and thus we couldn't see any of these details directly.[/quote]
Not sure what you're driving at here. We're using LDAP to pull the details - either "live" when requested or by pulling them into the OA DB by auditing. It doesn't matter what trusts are in place provided we have the necessary credentials to access the source data via LDAP.
[quote="A_Hull"]Finally if I back up the database, and restore it at a future date I can see how things were at a particular time.[/quote]
I guess that could be useful.
[quote="A_Hull"]One little trick I just thought of, if we harvest the full details, it would be possible to recreate a user, or indeed a whole bunch of users in the AD (using a vbscript or whatever) even if some halfwit deletes them either accidentally or on purpose. One could even recreate some or all of the users and/or computers in an entirely new domain or forest.[/quote]
In AD, the single most important user properties are objectSid, sIDHistory and objectGUID, none of which can be written to using LDAP, so a genuine backup/restore type process isn't possible using this method. There are simply better tools freely available to do this for AD. I don't have experience enough of other LDAP schemas to comment on them.
* I also intend to add similar functionality to the LDAP login page to allow authentication from any of the pre-defined LDAP sources
_________________ Cheers, Nick.
[size=85]OA Server: Windows Server 2003 / Apache 2 Auditing: 1600 Workstations, 200 Servers OS's: Windows XP / Windows 2000 / Windows 2003 Server / Windows Vista LDAP: Active Directory[/size]
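As an added example (not from the original post and not Open-AudIT code), the following Python models the objection Nick raises: an object recreated from harvested LDAP attributes gets a fresh objectSid and objectGUID from the DC and no sIDHistory, so any ACE that referenced the old SID is orphaned. The attribute names are real AD schema attributes; the user record, domain SID and share ACL are constructed sample data.

```python
import uuid

# Attributes the directory assigns itself; an LDAP add/modify cannot set them.
SYSTEM_OWNED = frozenset({"objectSid", "sIDHistory", "objectGUID"})

# Constructed sample: one harvested user record and two ACEs on a file share.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
HARVESTED_USER = {
    "sAMAccountName": "jsmith",
    "displayName": "J. Smith",
    "objectSid": DOMAIN_SID + "-1105",
    "sIDHistory": ["S-1-5-21-4444444444-5555555555-6666666666-1020"],
    "objectGUID": "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
}
SHARE_ACL = [
    ("\\\\fs1\\finance", DOMAIN_SID + "-1105", "Modify"),  # granted to jsmith's SID
    ("\\\\fs1\\public", "S-1-5-11", "Read"),              # Authenticated Users
]


def writable_attributes(harvested):
    """Attributes an LDAP add could actually send back to the directory."""
    return {k: v for k, v in harvested.items() if k not in SYSTEM_OWNED}


def recreate_user(harvested, domain_sid, next_rid):
    """Simulate the DC's side of an LDAP add: new RID, new GUID, empty sIDHistory."""
    obj = writable_attributes(harvested)
    obj["objectSid"] = f"{domain_sid}-{next_rid}"
    obj["objectGUID"] = str(uuid.uuid4())
    return obj


def orphaned_aces(acl, original, recreated):
    """ACEs still bound to the deleted object's SID; the new object never inherits them."""
    return [ace for ace in acl
            if ace[1] == original["objectSid"] and ace[1] != recreated["objectSid"]]


def restore_report(harvested, domain_sid, next_rid, acl):
    """Summarise what a 'restore' built from harvested LDAP data would actually lose."""
    new = recreate_user(harvested, domain_sid, next_rid)
    return {
        "dropped": sorted(SYSTEM_OWNED.intersection(harvested)),
        "identity_preserved": new["objectSid"] == harvested["objectSid"],
        "orphaned_aces": orphaned_aces(acl, harvested, new),
    }


if __name__ == "__main__":
    print(restore_report(HARVESTED_USER, DOMAIN_SID, 1500, SHARE_ACL))
```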